My problem is that I've written an application entirely using CNG on Windows 7, and now I have to port it backwards to Vista. Vista has CNG of course, but the SSL provider is an older version and is not always compatible - for example it won't import opaque keys exported from the Win7 version of the same provider.
E.g. this code works fine:
SslImportKey(hProvider, &hKey, BCRYPT_OPAQUE_KEY_BLOB, pBuffer, dwBufferSize, 0);
...when importing keys generated on another machine with the same provider version (basically with the same OS & service pack) on it. But it fails with NTE_INVALID_PARAMETER if the two machines don't have the same service packs. (Ignore what MSDN says, you get this error code for several reasons, not just when hKey is NULL...)
I guess the opaque key format has changed between versions of the provider DLL. But I find it surprising that it's not backward compatible, e.g. Win7 can't import keys exported from Vista.
I'd like to avoid having to re-write the whole thing using the older CAPI (which seems to be present on both platforms). Is there any way I can maybe statically link to the right libraries, so that I carry the right code with the application and it doesn't matter which version of the SSL provider is installed on the machine? Or is there any way to redistribute CNG providers, maybe having multiple versions of the same provider co-existing on the same machine?